My tour guide had worked the cipherlock to get us into the
SCIF, and I was thinking ahead to my first trip to
the toilets on my own (and hopefully back!), so I asked
what the combination was.

"Oh, it's 'FACTORY'", he said.

I dutifully leaned down to examine the cipherlock.
Huh.
Five buttons: 1, 2, 3, 4, 5 and no letters.
How am I supposed to spell the word
FACTORY with the digits 1–5?

I asked, and received a look of disbelief that I was so naive
as not to realize that — of course — they keep
their cipherlocks at the factory default so anyone with
half a clue knows how to get in.
Well, I was SO naive that I had to ask what that default was.
That got me a look of disgusted disbelief.

It's 2+4-3 for that brand.
That is, 2 and 4 at the same time, then 3.
That's conveniently right around the middle and
a sequence I thought I had better remember.

It's more secure at the youth hostel

More recently I taught a course on information security
in Annapolis, Maryland, which
meant that most of the attendees were from the
NSA
or a related agency,
or from their many contractors and subcontractors.

I told my story about the factory default locks
and they chuckled at my naivete,
and then chuckled a little uncomfortably because many
of them had seen that sort of thing, sometimes recently.

The exterior doors and bedrooms at the hostel had cipherlocks with TEN
buttons and FOUR-digit combinations. So, let's see, a combinatorial
advantage of 10,000 versus the 125 of a three-press code on five
buttons, or an 80:1 ratio.

5^3 = 125, 10^4 = 10,000, and 10,000 / 125 = 80

But no, it's far better than that.
I was going to leave Tuesday afternoon.
I checked out and stored my pack that morning and did
a few more things until after lunch.
Then they had to buzz me back into the building when
I returned to pick up my things, because I had checked out
and the unique door codes specific to me had expired at noon.

That's right, everyone staying there gets unique combinations
for the outer door and the door to their room,
good only for the length of their stay.
As they explained it to me, they just find it far easier
to operate that way. Since you obviously
want a combination to work for a limited time, and you don't
want the hassle of announcing daily door codes, you have unique
ones for each guest's visit. And, if you were the sort of place
wanting to enforce some sort of audit trail as opposed to just
keeping the vagrants and crazies and thugs out of the building
(this being
Baltimore,
after all), you would also get that.
Yes, that was the obvious and easy solution, at least for them.
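Here is the hostel's scheme sketched in code, as an added illustration and not the hostel's own system (I never saw the inside of it): each guest gets a distinct code for the outer door and for their room, drawn from a cryptographic random source, good only until noon on the departure day, with every keypad attempt logged for an audit trail. The ten-button keypad, four-digit codes and noon cutoff come from the story above; the guest names, room number, dates and the `DoorCodes`, `Grant` and `demo` names are constructed for the example.

```python
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import date, datetime, time

KEYPAD = string.digits      # ten buttons, as on the hostel's locks
CODE_LENGTH = 4             # four-digit codes: 10**4 = 10,000 possibilities
CHECKOUT = time(hour=12)    # codes stop working at noon on the departure day


@dataclass(frozen=True)
class Grant:
    """One code, for one guest, on one door, for one window of time."""
    guest: str
    door: str               # "outer" or a room name such as "room 12"
    code: str
    valid_from: datetime
    valid_until: datetime

    def active_at(self, when):
        return self.valid_from <= when < self.valid_until


class DoorCodes:
    def __init__(self):
        self._grants = []   # every grant ever issued, kept for the audit trail
        self.audit = []     # (when, door, guest or None, outcome)

    def _fresh_code(self, door, valid_from, valid_until):
        # Draw from the CSPRNG and reject any code that collides with a grant
        # on the same door whose validity window overlaps this one; otherwise
        # two guests could open each other's doors and the log could not
        # tell them apart.
        while True:
            code = "".join(secrets.choice(KEYPAD) for _ in range(CODE_LENGTH))
            clash = any(
                g.door == door and g.code == code
                and g.valid_from < valid_until and valid_from < g.valid_until
                for g in self._grants
            )
            if not clash:
                return code

    def check_in(self, guest, room, arrival, departure_day):
        """Issue distinct outer-door and room codes good until checkout."""
        valid_until = datetime.combine(departure_day, CHECKOUT)
        codes = {}
        for door in ("outer", room):
            code = self._fresh_code(door, arrival, valid_until)
            self._grants.append(Grant(guest, door, code, arrival, valid_until))
            codes[door] = code
        return codes

    def try_open(self, door, entered, now):
        """Decide whether a keypad entry opens the door, and log the attempt."""
        who, outcome = None, "denied"
        for g in self._grants:
            if g.door != door:
                continue
            # Check every candidate rather than stopping at the first hit, and
            # compare in constant time, so timing says nothing about how much
            # of a code was right.
            if hmac.compare_digest(g.code, entered):
                if g.active_at(now):
                    who, outcome = g.guest, "opened"
                elif outcome != "opened":
                    who, outcome = g.guest, "expired"   # real code, wrong time
        self.audit.append((now, door, who, outcome))
        return outcome == "opened"


def demo():
    """Constructed scenario, not a real booking: Alice arrives Monday
    afternoon and checks out Tuesday, so her codes die at noon Tuesday."""
    hostel = DoorCodes()
    arrival = datetime(2024, 3, 4, 15, 0)
    codes = hostel.check_in("Alice", "room 12", arrival, date(2024, 3, 5))
    tue_11 = datetime(2024, 3, 5, 11, 0)
    tue_13 = datetime(2024, 3, 5, 13, 0)
    wrong = "0000" if codes["outer"] != "0000" else "0001"
    return {
        "well_formed": all(len(c) == CODE_LENGTH and c.isdigit()
                           for c in codes.values()),
        "before_checkout": hostel.try_open("outer", codes["outer"], tue_11),
        "after_checkout": hostel.try_open("outer", codes["outer"], tue_13),
        "wrong_code": hostel.try_open("outer", wrong, tue_11),
        "audit": [(t.isoformat(timespec="minutes"), door, who, outcome)
                  for t, door, who, outcome in hostel.audit],
    }


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(*entry)
```

The part that makes this better than a shared code is not the keyspace but the lifecycle: a code is bound to one person and one window, so an expired or unknown code produces a logged "expired" or "denied" entry that names the door and the time, which is exactly the audit trail a sign-in sheet cannot give you.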

So the next time I teach an infosec class, I'll tell the
Fort Belvoir cipherlock story.
But now I have a new Part Two for the story.

Only trustworthy people can get drivers' licenses,
right?

The U.S. has a lot of Security Theatre that accomplishes
nothing beyond inconvenience and waste of time and money.
There is an obsession with state driver's licenses:
if you have one, you must be no threat. You can't
get in without showing one, but as soon as you show that
you are authorized to operate a motor vehicle,
you can go right in.
This is despite the fact that the 9/11 hijackers
held valid U.S. state-issued driver's licenses and
ID cards.

One time in Washington D.C. I saw that the Department of
the Interior had a small museum with an exhibit of photographs
of UNESCO World Heritage Sites in the United States.
That sounded interesting, so I went.

Entrance to the Department of the Interior building requires
your participation in some silly security theatre.
The guard first looks at your driver's license, and I would
wager that mine was the first Indiana one he could remember
seeing.
He clearly did not really know whether what I had
handed him was a valid Indiana driver's license
or not.
But he stared at it for a number of seconds, handed it
back, and told me to go over to a podium across the lobby
and sign in on the visitors' log.

So I signed in as I always do in these situations:
Richard Milhous Nixon.

On the rare occasions when you also have to sign out,
I am sometimes pleased to see in the useless log that
my vice-president Spiro T. Agnew signed in soon after I did.

(Photo caption: Richard Nixon. Or me.)

(Photo caption: U.S. Department of the Interior.)

How should this really be done?

Go to a major office building in Manhattan some time.
The guards are quite friendly, with little of the
obligatory threatening thug attitude that seems to be
required in Washington.
But what they do is useful. They look at your ID,
but then they slide it into a device designed specifically
to photograph ID cards and passports.
They also have you look at a small digital camera.
They now have a photograph of you and of your ID, and
they issue you a limited-time badge (usually a sticker).
That often includes a bar code or 2-D matrix code required
to get you through the turnstile.
The point is the record: an image of the visitor tied to an
image of the document they presented, kept for later review,
instead of a name that anyone can write in a log.

Oh, and how was the museum?

Quite lame, beyond the nice new pictures of the World
Heritage sites.

My favorite part was one of the display cases
explaining what the Department of the Interior does.
It said that Interior controls mineral rights, the
extraction of which provides material vital for
everyday household items: